The Patch is the Attack
A current assessment of the SolarWinds hack
The attack was first detected around December 8, 2020 by the IT security company FireEye, itself one of the affected parties; FireEye warned against the use of its security products, but denied that the unpublished vulnerabilities (zero-day vulnerabilities) it held had been accessed. The perpetrators manipulated an update of the network monitoring platform Orion from SolarWinds Inc. in such a way that a backdoor (two have been published so far; more may follow next week) was installed on approx. 18,000 of the approx. 300,000 customer systems (supply chain attack). The customers include the public sector in the USA and Great Britain and the world's largest companies in all sectors (defense, technology, banks, consulting, pharmaceutical/chemical, telecommunications and raw materials companies) in North America, Europe, Asia and the Middle East, and in Germany as well as in all other states of the European Union.
Given the immense impact of the attack (copying of data and programs and manipulation of programs), it is likely to continue to be studied in detail - and also imitated, and documentation of the attack will (despite an expected very high price) sell like hot cakes to criminals and interested security agencies. Companies and authorities should therefore prepare themselves by taking preventive measures. Internationally, the probability of occurrence is rated as very high.
U.S. federal agency systems were also compromised in the attack, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issuing an emergency directive instructing all federal agencies to immediately shut down affected Orion products.
The SolarWinds cyberattack is not an isolated incident. Microsoft alone has sent more than 13,000 warnings to customers in the last two years. The aim of installing the backdoor is to remotely control systems at this manufacturer's customers worldwide. At present, the perpetrators seem to be only partially concerned with financial gain (extortion). This also applies to attacks in the healthcare sector; these are currently not (yet?) targeted at individual patients.
The methods used by the perpetrators are consistently at a very high technical level and demonstrate years of experience. Such specialists can be found not only in all industrialized countries, but also in so-called developing countries. Such attack techniques are, however, not researched and taught at public universities. The first criminal attempts date back to the beginning of the 1970s in Germany.
Summary and ideas
Attacks on IT systems are increasingly being carried out by companies specializing in them.
By scaling up to the many victims of one attack (here approx. 18,000), the cost of preparing the attack drops to about 500 K$, against an expected revenue of currently 500 - 10,000 K$ ... per victim. Pre-financing by organized crime or intelligence agencies is possible. Further technically well-crafted attacks of this kind can therefore be expected.
The attackers planned and implemented the attack over about 3 years. Between the first unauthorized access and the actual spying out of data and programs alone, about 6 - 18 months pass; international studies (also in German-speaking countries) have already pointed this out.
The frequently encountered opinion that the attack has been averted once IT production is up and running again is an illusion; in any case, restarting is not a sign that an attack has been averted. Unless at least the exploited attack points - undetected security vulnerabilities (zero-day vulnerabilities), backdoors, covert channels and the like - have been eliminated, renewed attacks must be expected. This is likely given the market power (technical capabilities, core personnel) of commercial hacking companies. The helplessness of the affected U.S. government agencies also shows their powerlessness in the face of these hacking companies.
In theory, only companies whose financial creditworthiness the perpetrators considered sufficiently good were attacked. The perpetrators attacked repeatedly (whenever the opportunity arose).
1. Current situation on the Internet
Politicians and also decision-makers largely lack an understanding of the risks of attacks on (their own) IT. Accordingly, the IT manager is simply asked whether everything is secure, and independent advice from 'outside' is not sought at all - especially since the attackers usually proceed cautiously in order to conceal the attack from the victim for up to several years.
Of course, it was the Russians (Pompeo knows); but it was the Chinese (Trump guesses). Much speaks for Korea - but only because a Korean word was 'found' in the source code (or rather North Korea, perhaps)? If nothing else comes to mind, the hackers were at least 'close to the state'. All this is nothing more than the usual political propaganda of politicians (cf. the 'rogue states'); attribution can only be clarified in a technically extremely complex way.
Basically, the typification of perpetrators as script kiddies, freaks, hackers, crackers, etc. seems outdated. The diverse and complex attack possibilities require competencies and personnel in all areas of cybersecurity that individual companies, municipal administrations or private individuals cannot provide.
In the last 5 years, companies have emerged internationally that carry out newly developed attack procedures from around the world for paying clients, according to the motto 'Crime as a Service' (CaaS).
The distinction between perpetrator groups such as script kiddies, insiders, hackers, hacktivists, cybercriminals, state-sponsored groups and 'intelligence agencies' (government institutions such as security agencies) is a thing of the past: hacking groups are increasingly commercialized, i.e. attacks are carried out by specialized companies under contract for a fixed fee or a revenue share of, say, 30% (ransomware). A corporate structure with minimal departments such as personnel, marketing, accounting and production is in place. Accordingly, it is carefully analyzed whether and how the company intended as a victim is actually liquid to the desired extent (profit orientation). Attack companies have up to 20 employees - up to 15 of them IT specialists; freelancers are brought in for special tasks.
3. Affected parties
Many U.S. federal ministries and companies have come forward or have been named publicly. The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has informed affected German companies. In fact, probably 18 - 35 thousand SolarWinds customers are affected, out of a total of more than 300,000 worldwide.
4. Attack targets
Reports about which attack targets were actually reached are vague. Apart from marketing statements, it must therefore be assumed that valuable company data were spied out (security tools, exploits, medical devices) and that control data of production processes (IoT) for vaccine production and for the production of chemicals and medicines were also manipulated: sabotage. Use for terrorist purposes cannot be ruled out - but has not yet been proven. One of the targets is likely to be data in (private and public) clouds (e.g. Microsoft Office 365 accounts).
5. Attack sequence
Overall, this hack seems to have a technical significance comparable to the ongoing (!) hack on the German Bundestag, Stuxnet or the NSA. Taken together, these attacks show the current state of the art of attack technology worldwide; here only the SolarWinds hack is discussed:
A. The first evidence of unauthorized manipulation of Orion updates dates from October 2019 - i.e. about 14 months before the attack was detected.
B. The attack points exploited in SolarWinds' systems are as yet undisclosed or even unidentified. The only possible attack points are unpatched, unpublished, or as yet undiscovered vulnerabilities. Experience shows that unpublished vulnerabilities (zero-day vulnerabilities) - or at least vulnerabilities not known to SolarWinds or not patched - are exploited for this purpose (initialization of the attack: March to June 2020). As long as this entry point is not identified and patched, the attackers can repeat the following steps at will.
C. The two (or more) groups of attackers make themselves independent of this vulnerability by installing (at least) two backdoors in SolarWinds' systems. These backdoors have not been published or identified by SolarWinds.
D. To make the tampered update appear authentic, the update is correctly digitally signed. Code signing is one of the most important security measures of global software companies. If the signature can be forged, this opens the door to any abuse of authentication and integrity checking in the first place.
E. In the source code of the update, the malicious code is obfuscated (steganography); at runtime, the environment is checked to determine whether it is a corporate network or, say, an analyst's workstation.
F. With an update for the SolarWinds Orion business software manipulated by almost 4,000 lines of code, a backdoor was installed in the customer system (Orion monitoring software) for the first time. As long as a backdoor is not identified and closed, the following attack steps can be repeated at will. This applies analogously to the second backdoor that has since been published, as well as to any further backdoors.
G. Further backdoors are realistic. As long as not all backdoors are identified and patched, further similar attacks must be expected.
Through the backdoor, further - possibly also updated - code is delivered from a command & control server, or more generally a (possibly permanent) connection between the attackers and the target system is established. In this way files are transferred and executed, the system is parameterized, system services are activated and deactivated, and computers are rebooted. The transport protocol resembles the SolarWinds protocol.
H. The backdoor is conveniently embedded in one of the SolarWinds modules installed in the target system. If the attackers know of other software in the target system (such as standard software from vendors like Microsoft), a backdoor can be installed there as well. An attack lasts as long as the backdoor can be exploited; in other words, the built-in backdoor is the linchpin. Attackers build in several backdoors for resilience; after identifying a (first) backdoor, the victim often believes that the attack has been repelled and is therefore over. In some cases, victims even ask for 'proof' of why the search for further backdoors should continue.
Of course, further steps by the attackers are possible, such as copying and deleting (all) data of the attack victim and encrypting it (ransomware). Copying of security information is especially relevant where unpublished security holes are collected - e.g. for law enforcement purposes. Even before the investigation was completed, such theft was denied by FireEye.
I. After this attack was discovered, the backdoor was identified by the manufacturer and closed with a (signed) patch; it can be assumed that the attackers no longer use the (closed) backdoor. At this time we can only speculate about the use of other backdoors.
J. There is often more than half a year between the installation of the backdoors and their exploitation - the period can also last up to 18 months. The decisive factor for this duration is that the attackers want to be sure that the victim does not notice their attack.
Basically, it cannot be proven that a system is backdoor-free. For the hacking cases mentioned, such as the NSA and the Bundestag, this means that no such proof can be provided - and it also means that these cases cannot be considered actually closed. The attackers, however, will move cautiously so as not to give any hint of their activities.
6. Damage and amount of damage
No serious damage assessment can be made because of the person-years of effort it would require. Official estimates are likely to remain secret.
The attackers also used novel malicious code that was not (yet) stored in the Department of Homeland Security's (DHS) multi-billion dollar intrusion detection system 'Einstein'.
A cleanup of the known manipulations is expected to take far more than 6 months.
However, the USA also attacks other states in this form.
7. Protective measures after attack detection
The manufacturer recommends updating to the latest Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of the environment. However, given the complexities involved, it is doubtful whether a simple update of the Orion Platform is sufficient to eliminate an infection. Anyone who has used the compromised software builds has no choice but to check and forensically analyze the affected systems. The signatures of the two published backdoors are available for this purpose.
Identifying backdoors is easy if they are at least partially known, as in this case. It is more difficult to identify further backdoors, especially those that have not yet been detected or not yet been published; this requires a sophisticated methodology. Backdoors that misuse documented input or output interfaces are easier to identify.
The scope of recovery measures depends on the value of the processed data and controlled processes (risk analysis) and ranges from a simple update of the Orion software to immediate disconnection from the Internet, installation of new devices and software, and a check of all stored data; after all, attack software can be stored anywhere - in (standard) software, in the firmware and microcode of devices and controllers, and also in data. Only after a new, really comprehensive check can the system be put back into operation.
Simply attempting to restart without further action can be negligent. Anti-virus programs, installing the latest updates etc. can also help against this particular attack; however, these measures are unlikely to detect modified variants of the attack. Affected parties should carefully consider whether the successful attack should be made public.
8. Preventive measures
Commercial and government intrusion detection systems are of little use if they fail to detect documented attacks. Legal measures such as the requirement to report attacks within 60 calendar days fall completely flat when attacks are detected only after at least 6 and up to 18 months - 13 months in the SolarWinds case. The impression is created that the U.S. authorities develop excellent attacks but are not in a position to adequately protect themselves against attacks by third parties.
In Germany, great emphasis is placed on surveillance (decryption of all communications) of citizens, while monitoring Internet traffic for attacks and protecting against criminals seems neglected. The recurring crypto debate can therefore be described as a distraction of citizens from the real risks of the Internet.
Politicians must ask themselves how they intend to guarantee the fundamental right to physical integrity - for example, in the case of hospitals and the supply of vaccines. Attacks such as the SolarWinds case discussed here can no longer be detected, investigated or even repelled, not even by well-funded companies.
The aim of politics must be to identify attacks and warn companies and authorities in good time by pointing out previously unpublished security loopholes, backdoors and covert channels. Such an initiative belongs in the IT security law.
Two basic techniques for identifying backdoors and covert channels are the analysis of a system's resources and a thorough static analysis of its source code. Experience shows that only 30% of covert channels can be detected with the help of tools.
Microsoft's suggestion to create a signature of the attack practiced on SolarWinds and compare it with current data streams - comparable to anti-virus programs - is not very helpful. This may detect the SolarWinds hack, but hardly any other.
A constructive approach to the topic is the 'Internet Governance Forum' (IGF) of the United Nations and the 'Council to Secure the Digital Economy' (CSDE) of the IT and telecom industry.
9. Final assessment
The total damage can only be estimated by those affected (companies and authorities) with great effort - and only if logs have been created automatically at various levels.
Further attack vectors - beyond the 2 published backdoors - are still likely to be identified, possibly not even involving the Orion software; in any case, all statements such as "was not spied on, not sabotaged" are technically unjustified. In addition, the 'usual' security errors can be seen, such as publication of passwords and excessively long reaction times after malware detection.
If the impression is given here that this case is one of a few exceptions, that impression is wrong. Comparable attacks - perhaps not of this scope - are commonplace. Accordingly, 5 days after the case was published, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive asking U.S. agencies using SolarWinds products to forensically analyze the case and to block network traffic to addresses outside the organization. Agencies without the appropriate expertise should immediately shut down the products due to possible compromise.
This paper is the released executive summary of a confidential audit report on the security testing of a German company.
 Prof. Dr. Hartmut Pohl, Managing Director of the IT security consultancy softScheck GmbH, Köln – Sankt Augustin
 For example, the source code base of Windows (Microsoft) was successfully accessed (https://bit.ly/2JA91AC); so far unconfirmed (but probable) are accesses to the supply chain, which - as with the access to the SolarWinds supply chain - enabled backdoors in over 85% of all computers in the world. The political and economic consequences were studied decades ago (https://bit.ly/3rK8ZHN), but were not understood: Worldwide, almost all computers and thus the Internet can be shut down by attackers within a few days or even abruptly. Terrorist interests (sabotage) cannot be ruled out.
 A rough (unconfirmed) overview from CISA can be found on the Internet (https://adobe.ly/386Cvj1): Belkin, Cisco, CrowdStrike, Deloitte (since June 2019), FireEye (with CIA involvement), Intel, Nvidia, Siemens, VMware. A number of US government agencies were also compromised by the malicious software. For example, the hackers reportedly managed to penetrate the Department of Homeland Security, the Department of the Treasury, the Department of Commerce and the Department of Energy, as well as the systems of the U.S. Atomic Weapons Agency, airport networks such as Austin, the NSA, ... The sectors affected are thus telecommunications, aerospace, defense and health care. Furthermore, companies in Great Britain and Turkey are mentioned, as well as cloud/hosting providers in particular, such as Amazon, DigitalOcean and Microsoft Azure; also the UK National Health Service, the European Parliament and NATO.
Classic ransomware attacks, on the other hand, seem to be those on Aida, Funke, Hetzner, Symrise, etc. The German government stated that there were no accesses to its systems.
At the same time, Microsoft has also admitted to a successful attack - although it has not published how long the attackers were active in Microsoft networks (https://reut.rs/352s1PQ).
Since the attack took place months ago, some companies no longer have the forensic data that is essential for a full investigation.
 https://bit.ly/38Prwd3, https://on.wsj.com/3hIujZG
 For reasons of practicality, the message (in this case the update) is first hashed, and this hash value is then encrypted with SolarWinds' (strictly secret) private key to form the signature. Only with the corresponding public key can the signature be decrypted again, so that the update appears authentic (from SolarWinds) and unchanged. Unauthorized use of the signature method therefore requires that the attackers were able to read and use the private key without authorization!
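As an added example (not from the report and not SolarWinds' code), the following Go program models the hash-then-sign scheme described in this footnote and in section 5, step D: ECDSA P-256 over SHA-256 is assumed in place of the vendor's actual code-signing scheme, and the update payloads are constructed. It shows that verification rejects only changes made after signing; code inserted before the vendor's key signs the update, or signed with a stolen key, verifies as genuine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// SignedUpdate models a vendor update: the payload plus a signature over
// SHA-256(payload). ECDSA P-256 is an assumed stand-in for the vendor's real
// code-signing scheme.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte // ASN.1 DER ECDSA signature
}

// SignUpdate (vendor side): hash the update, then sign the hash with the
// strictly secret private key.
func SignUpdate(priv *ecdsa.PrivateKey, payload []byte) (SignedUpdate, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Payload: payload, Signature: sig}, nil
}

// VerifyUpdate (customer side): recompute the hash and check the signature with
// the vendor's public key. A pass proves only that the payload is exactly what
// the key holder signed, not that the signed payload is benign.
func VerifyUpdate(pub *ecdsa.PublicKey, u SignedUpdate) bool {
	digest := sha256.Sum256(u.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], u.Signature)
}

// Scenarios signs constructed updates with a fresh key pair and reports which
// verify: the genuine update, one with code inserted after signing (old
// signature kept), and one with code inserted before signing and then signed
// with the vendor's key (compromised build step or stolen key).
func Scenarios() (genuine, modifiedAfterSign, modifiedBeforeSign bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	clean := []byte("orion-update (constructed sample payload)")
	// Fresh slice, so the clean payload is never aliased.
	tainted := append(append([]byte{}, clean...), "/* constructed backdoor stand-in */"...)

	good, err := SignUpdate(priv, clean)
	if err != nil {
		return false, false, false, err
	}
	after := SignedUpdate{Payload: tainted, Signature: good.Signature}
	before, err := SignUpdate(priv, tainted)
	if err != nil {
		return false, false, false, err
	}
	pub := &priv.PublicKey
	return VerifyUpdate(pub, good), VerifyUpdate(pub, after), VerifyUpdate(pub, before), nil
}
```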
 Backdoor or trapdoor: a concealed (undocumented) sequence of instructions (programs or program parts in hardware, firmware, microcode and/or software) that enables access to an IT system by bypassing its security system (access control system).
 A kill switch was therefore installed on the associated command & control server, which automatically deletes the backdoor when the manipulated software calls it. https://bit.ly/350NqZQ
 Web shell 'Supernova' embedded in Orion code by another attacker.
 In June 2019, The New York Times reported that U.S. Cyber Command had penetrated Russian electric utilities deeper than ever before and deployed malware. https://bit.ly/38MwOG3
 Covert channel: a logical channel that is not intended for information transmission but nevertheless enables an unauthorized and covert (undocumented) exchange of information, and thus violates the security policy of the IT system. Two classes of covert channels are distinguished: covert storage channels and covert timing channels. In other words, a covert channel allows information to flow between at least two cooperating entities in a manner contrary to the security objectives, without being controllable by access control.